I know that it is easy to get the effective permissions of one group or user over a folder, but I want to know if it is possible to get the effective permissions for all users on my shared folder. Is there any tool to do that?

4 Answers
4

The built-in GUI dialog for Security in Explorer will show all explicit and inherited permissions on a file or directory. If a user isn't listed, either by name or by group membership, they have no rights. There's no "effective rights" dialog that I'm aware of, if you're used to and coming from a Netware environment. And you probably wouldn't want a dialog to automatically expand group memberships, since you can have things like "domain users", which would take a while to enumerate in a large domain.

/edit - of course, there's the "effective rights" tab in modern Windows, for a given user or group. Jeez, losing my mind. My point about enumerating "all users" stands - that would take a long time in a large domain, and probably be awful in a large forest.

An ugly idea, trying to enumerate the "effective permissions" of a large number of users on even a single resource. Every time I've been asked about reporting on effective permissions for large groups of users I've always found that the issue at the kernel of the request is one of lack of centralized control and design of permission hierarchies. I wouldn't be surprised if that's at play here.
– Evan Anderson, Jan 21 '11 at 8:40

Well, my domain is very simple, only 50 users on a single domain controller and the files are on the same server. I think that in this case it could be faster than in a more complex one.
– Santiago, Jan 22 '11 at 10:42

@EvanAnderson Good points, but consider the strict auditing policies of outside agencies coming in and demanding a report. Even if you have centralized control and well designed permission hierarchies, to audit the permissions one must connect the dots of user->group->permissions * # resources * # users. Auditors often do not go for the let-me-explain-how-I'm-doing-things-the-right-way-and-you-take-my-word-that-no-one-has-permissions-they-shouldn't. I know some have custom tools that randomly select resource+user to review select permissions, which avoids enumerating the entire system.
– AaronLS, Jun 19 '14 at 3:07

@AaronLS - any audit taking place is in the context of what's in-scope for the audit. The companies that I've worked for, going through such audits, will show the ACLs on the folders or files that fall under the scope. The companies work hard to limit and define what's in-scope.
– mfinni, Jun 19 '14 at 3:23

1

@AaronLS - I've been on both sides of that type of auditing situation (being audited and being the auditor) and I've never seen or produced a report describing all resources and effective permissions for all users. How would the mechanics of such a report in an environment of any appreciable size work? I could live with a control that requires an audit trail of resource permission changes and user group membership changes, personally. The effective permission for a user to any resource at a point-in-time could be calculated from that audit trail.
– Evan Anderson, Jun 19 '14 at 17:33

I think what you are looking for is SetACL. It is very, very powerful and our storage engineers use it to audit shares before migrating them to different boxes. I too have used it and have to say it is pretty useful.

Here is a sample command we use to see all permissions on a share folder. You want to do it on the server itself.

I don't see how this is going to do what the OP wants. The OP is asking for the effective permissions for users. The command-line you're quoting there is going to dump the ACLs specified on the resource. The effective permissions would be based on mapping the user's group membership to the ACLs specified on the resource (just like the OS does when the user attempts to access the resource).
– Evan Anderson, Jan 21 '11 at 8:38
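The mapping described in the comment above (group membership resolved against the ACL on the resource), sketched as an added example that is not part of the original thread. It is a simplified model in Python: the users, groups, rights bits and ACL are constructed, and share-level permissions, ownership and privileges are not modelled.

```python
# Simplified rights bits, constructed for this example (not the real NTFS access mask).
READ, WRITE, DELETE = 1, 2, 4
NAMES = {READ: "Read", WRITE: "Write", DELETE: "Delete"}

# Constructed sample data: direct memberships, including one nested group.
MEMBER_OF = {
    "alice": ["Accounting", "Domain Users"],
    "bob": ["Accounting", "Contractors", "Domain Users"],
    "carol": ["Helpdesk", "Domain Users"],
    "dave": ["Domain Users"],
    "Helpdesk": ["IT"],
}
# Constructed ACL as (kind, trustee, mask): explicit deny, explicit allow, inherited allow.
ACL = [
    ("deny", "Contractors", WRITE | DELETE),
    ("allow", "Accounting", READ | WRITE),
    ("allow", "IT", READ | WRITE | DELETE),
    ("allow", "Domain Users", READ),
]

def expand_groups(principal, member_of):
    """Return the principal plus every group reached through nested membership."""
    seen, stack = set(), [principal]
    while stack:
        name = stack.pop()
        if name not in seen:  # the seen-set also stops membership cycles
            seen.add(name)
            stack.extend(member_of.get(name, ()))
    return seen

def effective_mask(user, acl, member_of):
    """Walk the entries in order; each right is settled by the first entry naming it."""
    identities = expand_groups(user, member_of)
    granted = denied = 0
    for kind, trustee, mask in acl:
        if trustee in identities:
            if kind == "allow":
                granted |= mask & ~denied
            else:
                denied |= mask & ~granted
    return granted

def report(users, acl, member_of):
    """Effective rights of every listed user on the one resource the ACL belongs to."""
    masks = {u: effective_mask(u, acl, member_of) for u in users}
    return {u: [n for bit, n in NAMES.items() if m & bit] for u, m in masks.items()}

if __name__ == "__main__":
    for user, rights in report(list(MEMBER_OF)[:4], ACL, MEMBER_OF).items():
        print(f"{user:6} {', '.join(rights) or 'no access'}")
```

Because entries are evaluated in stored order, the same entries in a different order can give a different result, so a report built this way has to read the ACL in the order it is stored.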

Is there such a thing as an "Active Directory Folder"? I think you mean a Windows folder - or an Active Directory OU or Container? If you mean Windows folders, I used to use TreeSize which is mostly for calculating the space of subfolders of directories but also has a security tab which will show all the effective permissions assigned to folders, subfolders and files.